Third-party WhatsApp “Security Overlay” found to install malware
Non-vendor-supported overlays that add features to an application, such as extra protection mechanisms (fingerprint unlock, disappearing messages, hidden channels/chats) and additional emojis, are nothing new. These overlays require users to trust third-party developers with access to the application and the data within it. FMWhatsApp offers several of these potentially desirable features, but has been found to install malware that is difficult to remove.
A trojan with access to a user’s text messages would be able to subscribe the user to premium services, intercept MFA codes or send malicious SMS messages from the user’s number. Messaging apps usually hold other permissions on the phone as well, which would grant the malware further access.
It is hard for users to recognise the threat because the application delivers the functionality that it advertises.
Containment, Mitigations & Remediations
The malware has been seen to persist after a factory reset because it writes itself to the system partition. It also replaces the libc.so system library, blocking full access to the system partition so that the user cannot remove it.
Completely reflashing the Android system on infected devices is the most reliable method of removing the malware.
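Because the malware survives a factory reset by modifying the system partition and swapping libc.so, a defender can check a pulled copy of /system for two things: a library whose digest no longer matches the clean firmware build, and a system partition that is mounted read-write. The following is an added example written for this page, not code from the advisory or the vendors it cites; the /proc/mounts lines and the fake libc.so are constructed, and in real use the known-good digest comes from a clean factory image of the same build.

```python
import hashlib
import os
import tempfile

# Constructed /proc/mounts lines (not captured from a real device).
SAMPLE_MOUNTS_CLEAN = "/dev/block/dm-0 /system ext4 ro,seclabel,relatime 0 0\n"
SAMPLE_MOUNTS_RW = "/dev/block/dm-0 /system ext4 rw,seclabel,relatime 0 0\n"

def sha256_of(path):
    """Stream the file so a large system library need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def system_mounted_rw(proc_mounts):
    """True if /system (or / on system-as-root builds) is mounted read-write."""
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] in ("/system", "/"):
            if "rw" in fields[3].split(","):
                return True
    return False

def check_libraries(root, known_good):
    """Each allow-listed library under root (a pulled copy of /system) is
    'ok', 'modified' or 'missing' against its known-good SHA-256 digest."""
    findings = []
    for rel, digest in known_good.items():
        path = os.path.join(root, rel.lstrip("/"))
        if not os.path.exists(path):
            findings.append((rel, "missing"))
        else:
            findings.append((rel, "ok" if sha256_of(path) == digest else "modified"))
    return findings

def run_constructed_demo():
    """Fake libc.so in a temp tree; a real digest comes from a clean factory image."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "system", "lib", "libc.so")
    os.makedirs(os.path.dirname(lib))
    with open(lib, "wb") as f: f.write(b"constructed clean libc.so")
    known_good = {"/system/lib/libc.so": sha256_of(lib)}  # digest the clean copy
    clean = check_libraries(root, known_good)
    with open(lib, "wb") as f: f.write(b"constructed tampered libc.so")
    tampered = check_libraries(root, known_good)
    os.remove(lib)
    return {"clean": clean, "tampered": tampered,
            "missing": check_libraries(root, known_good)}
```

A mismatch or a read-write /system is a reason to reflash rather than to clean individual files, since the page notes the replaced libc.so is what blocks user access to the partition.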
Indicators of Compromise
Lots of attention is being paid to mobile devices by cybercriminals, private individuals and organisations, and nation states, because of the value that users place on the devices and the nature of the material and communications that users store on them.
– T1444 – Masquerade as Legitimate Application
– T1467 – Deliver Malicious App via Other Means
– T1509 – Uncommonly Used Port
– Kaspersky – FMWhatsApp mod for WhatsApp downloads Trojans
– Kaspersky – Triada Trojan in WhatsApp mod
– Bleeping Computer – Malicious WhatsApp mod infects Android devices with malware